Create a secure 2003 personal web server

xiaoxiao, 2021-03-06

Windows 2003 Server is stronger on security than Win2K, but is Windows 2003 Server really safe to use as a server? How do you build a secure personal web server? Here is a brief introduction.

I. Installing Windows Server 2003

1. Create the minimum number of partitions during installation, and format them as NTFS.
2. Install the 2003 system with the network disconnected.
3. Install IIS, but only the IIS components you need (disable the unwanted ones, such as the FTP and SMTP services). IIS is not installed by default: in Add/Remove Windows Components select "Application Server", click "Details", double-click Internet Information Services (IIS), and check the following options: Internet Information Services Manager; Common Files; Background Intelligent Transfer Service (BITS) server extension; World Wide Web Service. If the site uses FrontPage Server Extensions, also check FrontPage 2002 Server Extensions.
4. Install MSSQL and the other required software, then run Windows Update.
5. Use Microsoft's MBSA (Microsoft Baseline Security Analyzer) tool to analyze the computer's security configuration and identify missing patches and updates. Download address: see the link at the end of the page.

II. Setting up and managing accounts

1. It is best to rebuild the system administrator account: change the name and description of the default administrator account (Administrator), and use a password that mixes upper-case letters, lower-case letters, numbers and symbols, preferably no shorter than 14 characters.
2. Create a decoy account named Administrator, give it the minimum permissions, and assign it a password of preferably no fewer than 20 characters.
3. Disable the Guest account, change its name and description, and give it a complex password. There is also a DELGUEST tool now, which you may be able to use to delete the Guest account, but I have not tried it.
4. Run gpedit.msc to open the Group Policy Editor, select Computer Configuration - Windows Settings - Security Settings - Account Policies - Account Lockout Policy, and set the account lockout threshold to 3 invalid logons, the lockout duration to 0 minutes, and the reset lockout counter to 30 minutes.
5. Under Security Settings - Local Policies - Security Options, enable "Interactive logon: Do not display last user name".
6. Under Security Settings - Local Policies - User Rights Assignment, for "Access this computer from the network" keep only the Internet Guest account and the account that starts the IIS process. If you use ASP.NET, you also have to keep the ASPNET account.
7. Create a USER account and run the system under it; when you need to run a privileged command, use the runas command.

III. Network service security management

1. Disable the default shares C$, D$, Admin$ and so on: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters create a new DWORD value named AutoShareServer and set it to 0.
2. Unbind NetBIOS from TCP/IP: right-click My Network Places - Properties - right-click Local Area Connection - Properties - double-click Internet Protocol (TCP/IP) - Advanced - WINS - Disable NetBIOS over TCP/IP.
3. Stop unneeded services. The following are recommended:
   Computer Browser: maintains the list of computers on the network; disable.
   Distributed File System: LAN management of shared files; disable if not needed.
   Distributed Link Tracking Client: used to update link information on the LAN; disable if not needed.
   Error Reporting Service: disable to stop sending error reports.
   Microsoft Search: provides fast word search; disable if not needed.
   NTLM Security Support Provider: used by the Telnet service and Microsoft Search; disable if not needed.
   Print Spooler: can be disabled if there is no printer.
   Remote Registry: disable to prevent remote modification of the registry.
   Remote Desktop Help Session Manager: disable to turn off Remote Assistance.

IV. Enable the appropriate audit policy

Run gpedit.msc to open the Group Policy Editor and select Computer Configuration - Windows Settings - Security Settings - Local Policies - Audit Policy. Note that if you audit too many items, more events are generated and the serious events become harder to find; if you audit too few, serious events may be missed. You need to choose according to your situation.
Recommended items to audit:
   Audit logon events: success, failure
   Audit account logon events: success, failure
   Audit system events: success, failure
   Audit policy change: success, failure
   Audit object access: failure
   Audit directory service access: failure
   Audit privilege use: failure

V. Other security-related settings

1. Hide important files and directories. The registry can be modified so that they are completely hidden: under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, right-click "CheckedValue", select Modify, and change the value from 1 to 0.
2. Enable the Internet Connection Firewall that comes with the system, and check Web Server in its Services settings.

3. Prevent SYN flood attacks: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters create a new DWORD value named SynAttackProtect and set it to 2.
4. Do not respond to ICMP router advertisement messages: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface> create a new DWORD value named PerformRouterDiscovery and set it to 0.
5. Prevent ICMP redirect attacks: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters set EnableICMPRedirects to 0.
6. Do not support the IGMP protocol: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters create a new DWORD value named IGMPLevel and set it to 0.
7. Disable DCOM: run dcomcnfg.exe, expand Component Services under the Console Root node, open the Computers folder, right-click My Computer (for the local computer) and select Properties, select the Default Properties tab, and clear the "Enable Distributed COM on this computer" checkbox.
Note: items 3-6 are the settings I used on Server 2000; I have not tested whether they work on 2003. One thing is certain, though: I have not found that they affect anything else.

VI. Configuring IIS

1. Do not use the default web site; if you do use it, keep the IIS directory on a different partition from the system disk.
2. Remove the Inetpub directory that IIS creates by default (on the system partition).
3. Delete the virtual directories under the system, such as _vti_bin, IISSamples, Scripts, IISHelp, IISAdmin, MSADC.
4. Delete unnecessary IIS extension mappings: right-click Default Web Site - Properties - Home Directory - Configuration, open the application mappings window, and remove the unneeded application mappings, mainly .shtml, .shtm and .stm.
5. The version of IE 6.0 running on 2003 is not required.
7. Use URLScan. URLScan is an ISAPI filter that analyzes incoming HTTP requests and rejects any suspicious traffic. The latest version is 2.5; on 2000 Server install version 1.0 or 2.0. The download address is not available. If you have no special requirements, you can use the default URLScan configuration. But if you run ASP.NET programs on the server and need to debug them, open the %WINDIR%\system32\inetsrv\urlscan folder and add the DEBUG verb to the [AllowVerbs] section of URLScan.ini; note that this section is case sensitive. If your site uses .asp pages, you need to delete the entries related to .asp.

If your pages use non-ASCII characters, set AllowHighBitCharacters to 1 in the [Options] section. After changing URLScan.ini you need to restart the IIS service for the change to take effect; the quick way is to run iisreset. If anything goes wrong after the configuration, you can remove URLScan via Add/Remove Programs.
8. Use WIS (Web Injection Scanner) to scan the entire website for SQL injection vulnerabilities. Download address: http://www.fanvb.net/websample/othersample.aspx (VB.NET enthusiast).

VII. Configuring SQL Server

1. The System Administrators role should preferably have no more than two members.
2. If possible, configure authentication as Windows login.
3. Do not use the sa account; give it a very complex password.
4. Delete the following extended stored procedures. The format is:
   use master
   sp_dropextendedproc 'extended stored procedure name'
   xp_cmdshell is the best shortcut into the operating system; delete it.
   Registry access stored procedures; delete: Xp_regaddmultistring, Xp_regdeletekey, Xp_regdeletevalue, Xp_regenumvalues, xp_regread, Xp_regwrite, Xp_regremovemultistring.
   OLE Automation stored procedures; delete: Sp_OACreate, sp_OADestroy, sp_OAGetErrorInfo, sp_OAGetProperty, Sp_OAMethod, sp_OASetProperty, sp_OAStop.
5. Hide SQL Server and change the default port 1433: right-click the instance and select Properties - General - Network Configuration, select the TCP/IP protocol and open its Properties, select Hide SQL Server instance, and change the default port 1433.

VIII. If the machine is only a web server, use IPSec

1. Administrative Tools - Local Security Policy - right-click IP Security Policies - Manage IP filter lists and filter actions. In the Manage IP Filter Lists tab click Add, set the name to Web Filter, click Add, enter Web Server in the description, set the source address to Any IP Address, set the destination address to My IP Address, set the protocol type to TCP, set the first IP protocol port item to From any port and the second to To this port 80, click Finish, click OK.
2. Click Add again, set the name to All Inbound Filters, click Add, enter All Inbound Filters in the description, set the source address to Any IP Address, set the destination address to My IP Address, set the protocol type to Any, click Next, Finish, OK.
3. In the Manage Filter Actions tab click Add - Next - enter Block as the name - Next - select Block - Next - Finish, then close the Manage IP filter lists and filter actions window.
4. Right-click IP Security Policies - Create IP Security Policy - Next - enter Packet Filter as the name - Next - clear Activate the default response rule - Next - Finish.
5. Open the Properties window of the new IP security policy and select Add - Next - This rule does not specify a tunnel - Next - All network connections - Next - select the new Web Filter in the IP filter list - Next - select Permit in Filter Action - Next - Finish; then select the new All Inbound Filters list - Next - select Block in Filter Action - Next - Finish - OK.
6. Right-click the newly created Packet Filter policy in the right pane of IP Security Policies and click Assign. No restart is needed; IPSec takes effect immediately.

IX. Recommendation: if you follow this article, it is recommended to test the server after every change. If there is a problem, you can immediately undo the change.
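As an added check that is not part of the original article, the following Python script parses a registry export (the text that reg export writes) and reports which of the registry values recommended above (AutoShareServer, SynAttackProtect, PerformRouterDiscovery, EnableICMPRedirects, IGMPLevel) are missing or not set as recommended, so the result of the manual edits can be verified. The sample export is constructed, and {GUID-PLACEHOLDER} stands in for a real interface key name.

```python
import re
# DWORD values recommended in the article; PerformRouterDiscovery is set per
# interface, so the trailing "*" matches any subkey under Interfaces.
TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
LANMAN = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
EXPECTED = {
    (LANMAN, "AutoShareServer"): 0,
    (TCPIP, "SynAttackProtect"): 2,
    (TCPIP, "EnableICMPRedirects"): 0,
    (TCPIP, "IGMPLevel"): 0,
    (TCPIP + r"\Interfaces\*", "PerformRouterDiscovery"): 0,
}

def parse_reg_export(text):
    """Map (key, value name) -> int for the dword lines of a reg export."""
    values, key = {}, None
    for line in text.splitlines():
        m = re.match(r"^\[(.+)\]$", line.strip())
        if m:
            key = m.group(1).lower()  # registry paths are case-insensitive
            continue
        m = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line.strip())
        if m and key:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(text):
    """Return sorted 'Name: finding' strings for missing or mis-set values."""
    values, findings = parse_reg_export(text), []
    for (key, name), want in EXPECTED.items():
        k, n = key.lower(), name.lower()
        if k.endswith("\\*"):  # per-interface value: look at every Interfaces subkey
            hits = [v for (vk, vn), v in values.items() if vk.startswith(k[:-1]) and vn == n]
        else:
            hits = [v for (vk, vn), v in values.items() if (vk, vn) == (k, n)]
        if not hits:
            findings.append(f"{name}: missing (want {want})")
        elif any(v != want for v in hits):
            findings.append(f"{name}: set to {hits} (want {want})")
    return sorted(findings)

# Constructed sample export: three values correct, one wrong, one missing.
SAMPLE = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareServer"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000002
"EnableICMPRedirects"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID-PLACEHOLDER}]
"PerformRouterDiscovery"=dword:00000000
"""
```

Run audit() over the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services` saved to a file; an empty list means every recommended value is present and set as the article suggests.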
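The URLScan.ini adjustments described above (adding the DEBUG verb for ASP.NET debugging, dropping the .asp entries for a classic ASP site, and setting AllowHighBitCharacters=1 for non-ASCII URLs) as an added Python example, not code from the article or from URLScan itself. It assumes the .asp entries to remove live in the [DenyExtensions] section, and it edits a constructed excerpt of the file line by line so that ordering, comments and blank lines are preserved.

```python
# Constructed excerpt in the layout of the real URLScan.ini: key=value under [Options], bare entries elsewhere.
SAMPLE_INI = """[Options]
UseAllowVerbs=1
AllowHighBitCharacters=0

[AllowVerbs]
GET
HEAD
POST

[DenyExtensions]
.asp
.exe
"""

def split_sections(text):
    """Ordered (name, [lines]) pairs; lines before the first header get name None."""
    sections, name, body = [], None, []
    for line in text.splitlines():
        if line.startswith("[") and line.rstrip().endswith("]"):
            sections.append((name, body))
            name, body = line.strip()[1:-1], []
        else:
            body.append(line)
    return sections + [(name, body)]

def _upsert(body, entry, present):
    """Replace the first line matching present(), else add entry after the last non-blank line."""
    for i, line in enumerate(body):
        if present(line):
            return body[:i] + [entry] + body[i + 1:]
    last = max((i for i, l in enumerate(body) if l.strip()), default=-1)
    return body[:last + 1] + [entry] + body[last + 1:]

def harden_for_site(text, aspnet_debug=False, classic_asp=False, non_ascii=False):
    """Apply the article's URLScan.ini adjustments; entries are written exactly as
    given, because URLScan compares [AllowVerbs] entries case-sensitively."""
    out = []
    for name, body in split_sections(text):
        key = (name or "").lower()
        if key == "allowverbs" and aspnet_debug:      # ASP.NET debugging uses DEBUG
            body = _upsert(body, "DEBUG", lambda l: l.strip() == "DEBUG")
        if key == "denyextensions" and classic_asp:   # let .asp pages through
            body = [l for l in body if l.strip().lower() != ".asp"]
        if key == "options" and non_ascii:            # allow non-ASCII bytes in URLs
            body = _upsert(body, "AllowHighBitCharacters=1",
                           lambda l: l.split("=")[0].strip().lower() == "allowhighbitcharacters")
        out += [f"[{name}]"] if name is not None else []
        out += body
    return "\n".join(out) + "\n"
```

After writing the result back to %WINDIR%\system32\inetsrv\urlscan\URLScan.ini, run iisreset as the article says, since URLScan only reads the file when IIS starts.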

Please credit the original source when reposting: https://www.9cbs.com/read-51191.html
